Home
User Guide
The information contained in this section applies to WebSphere Commerce Version 8. The documentation also applies to all subsequent releases and modifications until otherwise indicated in a newer section.WebSphere Commerce is a single, unified e-commerce platform that offers the ability to do business directly with consumers (B2C), directly with businesses (B2B), and indirectly through channel partners (indirect business models). WebSphere Commerce is designed to be a customizable, scalable, and high availability solution that is built to leverage open standards. It provides easy-to-use tools for business users to centrally manage a cross-channel strategy. Business users can create and manage precision marketing campaigns, promotions, catalog, and merchandising across all sales channels.
Securing
These topics describe the security features of WebSphere Commerce and how to configure these features.
Site security considerations
To enhance the security of your WebSphere Commerce site, you can enable various features in Configuration Manager and the Administration Console.
Security consideration for the Internet Information Services (IIS) web server
If you are using the IIS web server with WebSphere Commerce, you must be aware of the following security consideration and take the recommended action to minimize any security exposure of your WebSphere Commerce data.

User Guide
The information contained in this section applies to WebSphere Commerce Version 8. The documentation also applies to all subsequent releases and modifications until otherwise indicated in a newer section.WebSphere Commerce is a single, unified e-commerce platform that offers the ability to do business directly with consumers (B2C), directly with businesses (B2B), and indirectly through channel partners (indirect business models). WebSphere Commerce is designed to be a customizable, scalable, and high availability solution that is built to leverage open standards. It provides easy-to-use tools for business users to centrally manage a cross-channel strategy. Business users can create and manage precision marketing campaigns, promotions, catalog, and merchandising across all sales channels.
- Planning
  Creating a custom implementation of a WebSphere Commerce store requires a significant amount of planning. From gathering client needs, to deploying the live solution, much work is needed to successfully deploy a custom client store. Use the resources in here to help you plan every phase of store creation.
- Installing
  Review the following sections for information about installing the WebSphere Commerce product, associated maintenance, and WebSphere Commerce enhancements.
- Migrating
  Before you migrate to WebSphere Commerce Version 8.0, review this information to help plan and execute your migration.
- Deploying
  The topics in this section describe how to publish stores to either a test or production environment, and how to deploy customized code.
- Operating
- Integrating
  Topics in the Integrating category highlight the tasks that are commonly performed for using WebSphere Commerce in combination with other products.
- Administering
- Tutorials
  WebSphere Commerce provides many tutorials to help you customize and understand your WebSphere Commerce instance and stores.
- Samples
- Developing
  The topics in the Developing section describe tasks performed by an application developer.
- Compliance
  The following section describes how you can leverage WebSphere Commerce features and functionality to help your site be compliant with different privacy and security standards.
- Securing
  These topics describe the security features of WebSphere Commerce and how to configure these features.
  - WebSphere Commerce security model
    Authentication is the process of verifying that users or applications are who they claim to be. In a WebSphere Commerce system, authentication is required for all users and applications that access the system, except for guest customers.
  - WebSphere Commerce authentication model
    The WebSphere Commerce authentication model is based on the following concepts: challenge mechanisms, authentication mechanisms and user registries.
  - Authorization
    WebSphere Commerce views access control or authorization as the process of verifying that users or applications have sufficient authority to access a resource. This section describes the details of several aspects of WebSphere Commerce access control.
  - Security standards
    Some main security standards are: NIST SP 800-131A, FIPS 140-2 and PCI.
  - Security bulletins
    WebSphere Commerce releases security bulletins for APARs that address issues that are considered to be security vulnerabilities. These bulletins provide security risk assessment information to help you assess if a particular issue might impact your organization.
  - Security fixes
    The following WebSphere Commerce releases contain security fixes for defects that are considered to be security vulnerabilities. The following details provide security risk assessment information to help you assess if a particular issue might impact your organization.
  - Hardening site security checklist
    To harden the security of your WebSphere Commerce site, you can enable and configure various security features. In addition, site customizations must always be made to comply with best practices as outlined in this document.
  - Site security considerations
    To enhance the security of your WebSphere Commerce site, you can enable various features in Configuration Manager and the Administration Console.
    - Enabling timeout
      After an extended period, when the timeout feature for your store is enabled, your storefront session is logged off. Session timeout settings can be changed for the enhanced security of your site.
    - Enabling password invalidation
      Password invalidation, when enabled, requires WebSphere Commerce users to change their password if the user's password is expired. In this case, the user is redirected to a page where they are required to change their password. Users are not able to access any secure pages on the site until they change their password.
    - Encrypting data
      This section contains information about the important steps involved when ensuring the security of your site. There are different encryption options available including information on Key Locator Framework, where you encrypt your data, how to change your session encryption keys and how to develop custom code using EncryptionFactory.
    - Enforcing TLS Version 1.2
      Require the use of the latest version of the TLS security protocol for communication on your site. This process ensures that any weakness in previous versions, or older, less secure protocols, cannot be used by malicious parties to obtain sensitive data.
    - Enabling the X-Frame-Options header
      You can configure the X-Frame-Options header settings to help you protect your site against Clickjacking. Clickjacking is a technique that tricks a web user into clicking a malicious site, thinking that it is your site. This malicious site can then reveal confidential information or take control of the user's computer.
    - Enabling cross-site scripting protection
      When enabled, cross-site scripting protection rejects any user requests that contain attributes (parameters) or strings that are designated as not allowable. You can also exclude commands from cross-site scripting protection by allowing the values of specified attributes for that particular command to contain prohibited strings. Cross-site scripting protection is enabled by default.
    - Disabling cross-site scripting protection for the Management Center
      When enabled, cross-site scripting protection rejects any user requests that contain attributes (parameters) or strings that are designated as not allowable. You can also exclude commands from cross-site scripting protection by allowing the values of specified attributes for that particular command to contain prohibited strings. Cross-site scripting protection is enabled by default, but you can disable it to match your security needs.
    - Enabling WhiteList data validation
      When enabled, WhiteList data validation ensures that when a URL command or view is run, the parameter values conform to a specified regular expression. For example, you can configure it so that the storeId must be an integer. When a WhiteList violation is detected, the request is changed to the ProhibCharEncodingErrorView view. WhiteList data validation is disabled by default.
    - Enabling cross-site request forgery protection
      Cross-site request forgery (CSRF) is a type of malicious attack that tricks a user into sending unintended requests. For example, an attacker can trick an authenticated user into clicking a link to update their personal information. WebSphere Commerce accepts this request as valid, as proper session cookies exist as part of the request.
    - Enabling cross-site request forgery protection in REST
      Enabling cross-site request forgery (CSRF) protection is recommended when using REST APIs with cookies for authentication. If your REST API uses the WCToken or WCTrustedToken tokens for authentication, then additional CSRF protection is not required.
    - Enabling URL redirect filtering
      When you enable URL redirect filtering, WebSphere Commerce rejects any requests that try to redirect to an unauthorized site. This feature is used to prevent phishing attacks where a link in a WebSphere Commerce site sends the shopper to another site.
    - Enabling access logging
      When enabled, the access logging feature logs either all incoming requests to the WebSphere Commerce Server or only the requests resulting in access violations. Examples of access violations are authentication failure or insufficient authority to execute a command. When enabled, access logging allows a WebSphere Commerce administrator to quickly identify security threats to the WebSphere Commerce system.
    - Enabling SSL for outbound web services
      You can enable SSL for web services that are created by using the WebSphere Commerce web services or Rational Application Developer.
    - Encrypting data in custom code using EncryptionFactory
      EncryptionFactory is a factory class that initializes all of the encryption provider classes that are used at runtime for encrypting and decrypting data. All encryption providers must implement the com.ibm.commerce.foundation.common.util.encryption.EncryptionProvider interface.
    - Security consideration for the Internet Information Services (IIS) web server
      If you are using the IIS web server with WebSphere Commerce, you must be aware of the following security consideration and take the recommended action to minimize any security exposure of your WebSphere Commerce data.
    - Web server security considerations
      Be aware of the following security considerations for your web server and take the recommended actions to minimize any security exposure.
    - Setting up account related policies
      For enhanced security of your site, ensure that you are aware and up to date on all account related policies.
    - Enabling password-protected commands
      When the password-protected commands feature is enabled, WebSphere Commerce requires registered users who are logged onto WebSphere Commerce to enter their password before continuing a request that runs designated WebSphere Commerce commands. When you configure password-protected commands, be aware of the consequences of specifying a command that can be run by generic and guest users. Configuring such commands as password-protected will prevent generic and guest customers from running them.
    - Configuring storefront Reset Password feature to use validation codes
      Some stores are configured to generate an arbitrary temporary password for a registered user when the user requests to reset a forgotten password. For added security, you can configure the Reset Password URL to send a randomly generated validation code instead of a temporary password.
    - Prevent privileged users from logging in externally
      Starting in Mod Pack 1 (8.0.1.0), the wc-server.xml file is updated to include a customizable web server header, which can be used to control whether privileged users can log in to the store from external networks. This framework reduces the possibility of an external attack if an account with administrative level access, such as a customer service representative or site administrator, is compromised.
  - Session management
    Browsers and e-commerce sites use HTTP to communicate. HTTP is a stateless protocol, which means that each command is run independently without any knowledge of the commands that came before it. Because it is a stateless protocol, sessions must be managed between the browser side and the server side.
  - Quick reference to user IDs, passwords, and Web addresses
    Administration in the WebSphere Commerce environment requires a variety of user IDs. These user IDs along with their requisite authorities are described in the following list. For the WebSphere Commerce user IDs, the default passwords are identified.
  - Enabling WebSphere Application Server security
    You can enable WebSphere Application Server security, which includes two orthogonal components: WebSphere global security and Java 2 security.
- Performance
- Troubleshooting

Security consideration for the Internet Information Services (IIS) web server

If you are using the IIS web server with WebSphere Commerce, you must be aware of the following security consideration and take the recommended action to minimize any security exposure of your WebSphere Commerce data.

For the IIS web server, read permission on a Virtual Directory provides access to the source code of JSP files. To prevent download of the JSP source code, you must physically separate the static content from the dynamic content of your web pages, if you are using the IIS web server. This configuration is necessary because IIS security is based on directory location, rather than file type. Under the default IIS configuration, the image files and JSP files are located under a single alias. Use the default configuration for testing purposes only.

By default, files in the META-INF and WEB-INF folders for each WAR can be served directly to a browser. It is the responsibility of IIS web server administrators to implement access control to prevent the serving of these files

To secure all web assets, the dynamic content must be accessed using a Virtual Directory with execute-only (not read) permissions. Move static content to a different Virtual Directory with read-only permission. For more information about setting permissions on a Virtual Directory, see the instructions in the IIS help information. Consult the current Microsoft documentation on security patches and configuration policies.

For security reasons, be sure to disable HTTP TRACE support in your web server. Use the URLScan tool to deny HTTP TRACE requests or to allow only the methods that are needed to meet site requirements and policy. For more information, see the Microsoft documentation about using URLScan on IIS.